FIOS Port 4567
While checking the security of my home network I ran an nmap scan on my IP, which showed several unexpected open ports. This page is to remind me what I did - and maybe help others.
Not shown: 992 closed ports
PORT STATE SERVICE
22/tcp open ssh
23/tcp open telnet
80/tcp open http
443/tcp open https
992/tcp open telnets
4567/tcp open tram
8080/tcp open http-proxy
8443/tcp open https-alt
Nmap done: 1 IP address (1 host up) scanned in 1.37 seconds
Ports 23, 992, 8080 & 8443 are the remote admin ports defined in the router setup; despite being disabled, they remain publicly visible. I'll worry about them later.
4567 ??? TRAM? No - did I have a trojan? A more thorough nmap scan (nmap -A <my ip>) shows more detail. Of note: http using a digest protocol. Opening a browser to that address:port prompts for a login. Normal router (administrator) logins do not work. Interesting.
4567/tcp open http Actiontec TR069 remote access
| http-auth:
| HTTP/1.1 401 Unauthorized
|_ Digest qop=auth opaque=0 nonce=7b7119c8a830214582f85e2d38ae48f3eb53cbf5 realm=ActiontecBHR
|_http-methods: No Allow or Public header in OPTIONS response (status code 501)
|_http-title: 401 Unauthorized
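Added example, not part of the original notes: a small Python script that re-reads the nmap port table above (embedded here as constructed sample input) and sorts each open port into a bucket so a repeat scan can be compared against a baseline instead of eyeballed. The buckets and their names (REMOTE_ADMIN_PORTS, CPE_MGMT_PORTS, expected_open) are my own; 4567 is the TR-069 port seen on this router, and 7547 is the port TR-069/CWMP normally listens on elsewhere, which is general knowledge rather than anything from this scan.

```python
"""Classify open ports from an nmap port table against a home-router baseline.

Added example; not code from the original notes. The sample scan text is
constructed from the nmap output shown on this page.
"""
import re

# Constructed sample input: the nmap port table from the notes above.
SAMPLE_SCAN = """\
Not shown: 992 closed ports
PORT STATE SERVICE
22/tcp open ssh
23/tcp open telnet
80/tcp open http
443/tcp open https
992/tcp open telnets
4567/tcp open tram
8080/tcp open http-proxy
8443/tcp open https-alt
Nmap done: 1 IP address (1 host up) scanned in 1.37 seconds
"""

# Assumption: a home router should expose nothing on its WAN side by default,
# so every open port is worth a look; the groups below only decide how loudly
# to flag it. These names are mine, not nmap's or the router's.
REMOTE_ADMIN_PORTS = {23, 992, 8080, 8443}   # the router's own remote-admin ports
CPE_MGMT_PORTS = {4567, 7547}                # TR-069/CWMP: 4567 here, 7547 is the usual port

# One nmap table row: "<port>/<proto> <state> <service>"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_ports(scan_text):
    """Return [(port, proto, state, service), ...]; non-table lines are ignored."""
    rows = []
    for line in scan_text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return rows


def classify(port, expected_open=frozenset()):
    """Bucket a port: expected, isp-management, remote-admin, or unknown."""
    if port in expected_open:
        return "expected"
    if port in CPE_MGMT_PORTS:
        return "isp-management"
    if port in REMOTE_ADMIN_PORTS:
        return "remote-admin"
    return "unknown"


def audit(scan_text, expected_open=frozenset()):
    """Map each *open* port to (bucket, service); closed/filtered rows are skipped."""
    findings = {}
    for port, _proto, state, service in parse_ports(scan_text):
        if state != "open":
            continue
        findings[port] = (classify(port, expected_open), service)
    return findings


def report(findings):
    """Render findings as one line per port, sorted by port number."""
    return "\n".join(
        f"{port:>5}  {service:<12} {bucket}"
        for port, (bucket, service) in sorted(findings.items())
    )


if __name__ == "__main__":
    # With no expected_open baseline, everything open on the WAN side is flagged.
    print(report(audit(SAMPLE_SCAN)))
```

Run it against saved nmap output from each scan; passing a set of ports you have deliberately opened as expected_open leaves only the ones that should not be there, which for this scan is everything, with 4567 standing out as ISP-side management rather than anything configured in the router UI.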
Progress to date:
- Assuming this is a TR069 server (based on http response headers)
- Built a brute force password cracker
  With a telnet session open, I get occasional http errors printed (to console?) while the brute force hacker is running (is this relevant?)
- Found some interesting config in the router's memory!
- Managed to open a shell to the router's OS
- Scanned the router binary files for interesting text
- Found some passwords in the router configuration, possibly some callbacks to Verizon. More investigation is warranted
Failures to date:
- Shellshock vulnerabilities appear mitigated, possibly due to limited OS commands
- Obvious passwords (including those mentioned online) do not work
- Router source code from Actiontec has nothing immediately obvious
- Attempts to decrypt the 8 char password in the memory dump have failed
Failures > Progress